in rules/customer-fc/ecs_security_group_has_specified_cidr.py [0:0]
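def evaluate_configuration_item(rule_parameters, configuration_item):
    """Evaluate whether an ECS security group allows ingress from a given CIDR.

    Args:
        rule_parameters: Rule parameters. Must contain ``checkCidr``, the CIDR
            block to look for. (The parameter name ``checkCidr`` is only the
            example used here; a rule author may choose a different name.)
        configuration_item: Config item whose ``configuration`` field holds the
            JSON document describing the security group.

    Returns:
        A ``(compliance_type, annotation)`` tuple:

        * ``COMPLIANCE_TYPE_NOT_APPLICABLE`` and ``None`` when the group is
          service-managed;
        * ``COMPLIANCE_TYPE_COMPLIANT`` and ``None`` when at least one
          ``Accept`` / ``ingress`` permission matches ``checkCidr``;
        * ``COMPLIANCE_TYPE_NON_COMPLIANT`` and a JSON annotation describing
          the expected value otherwise.

    Raises:
        KeyError: if ``checkCidr`` is not in ``rule_parameters`` or the
            configuration item has no ``configuration`` field.
    """
    # Local import: the file's import block is not visible in this listing.
    import ipaddress

    param_cidr = rule_parameters["checkCidr"]
    configuration = parse_json(configuration_item["configuration"])

    # Service-managed security groups are not subject to customer rules.
    if configuration.get("ServiceManaged"):
        return COMPLIANCE_TYPE_NOT_APPLICABLE, None

    def _same_cidr(actual, expected):
        """True when two CIDR strings denote the same network.

        Plain string equality is kept as the first check so every previously
        matching pair still matches; the ipaddress comparison additionally
        treats equivalent spellings (host bits set, etc.) as equal.
        """
        if actual == expected:
            return True
        try:
            return ipaddress.ip_network(actual, strict=False) == ipaddress.ip_network(
                expected, strict=False
            )
        except ValueError:
            # Not a parseable CIDR on one side: no match beyond exact equality.
            return False

    # A group with no permissions simply has nothing to match.
    permissions = (configuration.get("Permissions") or {}).get("Permission") or []
    for permission in permissions:
        # Permissions whose source is another security group (rather than a
        # CIDR) may carry no SourceCidrIp; .get() keeps them from aborting the
        # whole evaluation with a KeyError.
        source_cidr_ip = permission.get("SourceCidrIp")
        if (
            permission.get("Policy") == "Accept"
            and permission.get("Direction") == "ingress"
            and source_cidr_ip is not None
            and _same_cidr(source_cidr_ip, param_cidr)
        ):
            return COMPLIANCE_TYPE_COMPLIANT, None

    annotation = json.dumps({'configuration': '', 'desiredValue': param_cidr, 'operator': 'Equals'})
    return COMPLIANCE_TYPE_NON_COMPLIANT, annotation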